Summary

This article describes several symptoms that you may experience if the computer is running the Spyware.Service.MiscrosoftUpdate (Trojan) rootkit spyware. To remove the Trojan virus, you must identify the files that cause this problem and then rename the files.

The user-mode (spyware) components Msupd*.exe and Reloadmedude.exe can be cleaned by some antivirus or anti-spyware programs as soon as the hidden driver is renamed. The hidden driver may be named "gbqxhia.sys," "upzvlbvv.sys," "jsbmefvk.sys," or some other random file name that contains only lowercase letters.

Several anti-spyware programs that can detect this virus are listed in the "More Information" section.

Symptoms

You may experience one or more of the following symptoms:

The computer automatically restarts.

After you log on, you receive the following error message:

Microsoft Windows

The system has recovered from a serious error. A log of this error has been created. Please tell Microsoft about this problem. We have created an error report that you can send to help us improve Microsoft Windows. We will treat this report as confidential and anonymous. To see what data this error report contains, click here.

If the error message remains on the screen, click the "click here" link at the bottom of the message box if you want to see the data that the error report contains. If you do this, you see error signature information that may be similar to the following:

A problem has been detected and Windows has been shut down to prevent damage to the computer Technical information: *** STOP: 0x00000050 (0xeb7ff002, 0x00000000, 0x8054af32, 0x00000001) PAGE_FAULT_IN_NONPAGED_AREA nt!ExFreePoolWithTag+237

The System log records an event that is similar to the following:

Notes

The symptoms of a Stop error vary according to the failure options of the computer system.For more information about how to configure system failure options, click the following article number to view the article in the Microsoft Knowledge Base:

307973 How to configure system failure and recovery options in Windows

The four parameters that are included in the error signature information (BCPn) and inside the parentheses of the technical information for the Stop error may vary according to the computer's configuration.

Not all stop 0x00000050 errors are caused by the problem that is described in the "Cause" section.

Cause

This error message is caused by a kernel driver that is installed by the following known rootkit spyware programs:

Msupd5.exe

Reloadmedude.exe

Resolution

To resolve this problem, use one or more of the following methods. The methods are listed in the preferred order.

Method 1: Rename the malicious driver by using Internet Explorer

Open Internet Explorer.

In the Address box, type %windir%\system32\drivers, and then press ENTER.

Locate the randomly named .sys file, right-click the file, and then select Rename.

Type malware.old to rename the file, and then press ENTER.

In the Address box, type \WINDOWS\system32, and then press ENTER.

Locate and then rename the following files, if they exist:

Msupd5.exe. Rename this file Msupd5.old.

Msupd4.exe. Rename this file Msupd4.old.

Msupd.exe. Rename this file Msupd.old.

Reloadmedude.exe. Rename this file Reloadmedude.old.

Close Internet Explorer.

Restart the computer.

Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

Method 2: In Safe Mode, rename the malicious driver by using My Computer

Start the computer in Safe Mode. To do this, follow these steps:

Restart the computer.

As the computer starts, press the F8 key repeatedly (one time per second).This action will cause the Microsoft Windows Advanced Startup Menu options to appear.

Use the UP ARROW and DOWN ARROW keys to highlight Safe Mode, and then press ENTER.

Open Internet Explorer

In the Address box, type %windir%\system32\drivers, and then press ENTER.

Enable the viewing of hidden files. To do this, follow these steps:

Click Start, and then click My Computer.

On the Tools menu, click Folder Options.

On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.

Under Hidden files and folders, click Show hidden files and folders.

Click to clear the Hide extensions for known file types check box.

In the Folder views area, click Apply to All Folders, and then click OK.

Locate the folder named C:\%windir%\System32\Drivers.

Locate any .sys file that has the following characteristics:

A randomly generated file name that is made up of eight lowercase letters, such as "gbqxmhia.sys," "upzvlbvv.sys," or "jsbmefvk.sys"

A date of January 11, 2005

A size of 14 KB (13,824 bytes)

A hidden attribute that is set

Note A file that has its hidden attribute set displays an "HA" in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b of the procedure that is described in the "More information" section.

It has no version, product name, or manufacturer information.

For each file that you locate, right-click the file, and then select Rename.

Type malware1.old to rename the first file, and then press ENTER.

Note Type malware2.old to rename the second file, type malware3.old to rename the third file, and so on.

Locate the %windir%\System32 folder.

Rename the following files, if they exist:

Msupd5.exe. Rename this file msupd5.old.

Msupd4.exe. Rename this file Msupd4.old.

Msupd.exe. Rename this file Msupd.old.

Reloadmedude.exe. Rename this file Reloadmedude.old.

Restart the computer.

Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

Method 3: In Safe Mode, rename the malicious driver by using the command prompt

Start the computer in Safe Mode. To do this, follow these steps:

Restart the computer.

As the computer starts, press the F8 key repeatedly (one time per second). This action will cause the Microsoft Windows Advanced Startup Menu options to appear.

Use the UP ARROW and the DOWN ARROW keys to select Safe Mode with Command Prompt, and then press ENTER.

Click Start, click Run, type cmd in the Open box, and then click OK.

At the command prompt, type CD %windir%\system32\drivers, and then press ENTER.

Type Dir /ah, and then press ENTER.

You will see text that is similar to the following text. The .sys file name will be randomly generated.

Type Attrib –s –h RandomFilename, and then press ENTER. This action removes the system attributes and the hidden attributes from the file.

Note The placeholder RandomFilename represents the name of the .sys file that is displayed after you perform step 5. For example, for the file name that is specified in the example in step 5, you would type Attrib –s –h gbqxmhia.sys.

Type Ren RandomFilename malware.old, and then press ENTER. This action renames the randomly named file.

Type CD, and then press ENTER. This changes the command line to the %windir%\System32 folder.

Type the following commands one at a time, and then press ENTER after you type each command:Ren msupd5.exe msupd5.old

Ren msupd4.exe msupd4.old

Ren msupd.exe msupd.old

Ren reloadmedude.exe reloadmedude.oldNote If you receive the following error message, you can safely ignore the message, because it indicates that the targeted file does not exist:

The system cannot find the file specified.

Type Exit, and then press ENTER.

Restart the computer.

Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

More Information

To verify whether the computer is infected with this spyware, follow these steps:

Start Internet Explorer.

In the Internet Explorer Address box, type %windir%\system32\drivers, and then press ENTER.

Change the way that Windows displays hidden files and protected operating system files. To do this, follow these steps:

On the Tools menu, click Folder Options.

On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.

Under Hidden files and folders, click Show hidden files and folders.

Click to clear the Hide extensions for known file types check box.

Click to select the Display the contents of system folders check box, and then click OK.

On the View menu, click Details.

Press F5 to update the Drivers folder display.

Locate any system files (files that have a .sys extension in the name) that have their hidden attribute set and are missing details regarding product name, company, and file version.

Note Files that have their hidden attribute set display an "HA" in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b.

To do this, follow these steps.

Note The spyware file may appear to have a randomly generated file name that is made up of eight lowercase letters.

Change the way that Windows Explorer displays details for the files in the folder. To do this, follow these steps:

On the View menu, click Choose Details.

Click to select the Attributes check box.

Click to select the Product Name check box.

Click to select the Company check box.

Click to select the File Version check box.

Click the Attributes column heading to sort the list of files by attributes. Files in the Drivers folder typically contain only the archive attribute (A). Look for any files that also have the hidden attribute (HA). The following list contains example names of spyware files that are known to cause this problem:

gbqxmhia.sys

upzvlbvv.sys

jsbmefvk.sys

After you locate a file that you suspect is a spyware file, verify the properties of the file by using the Properties dialog box. Right-click the file, click Properties, and then look for the following information:

On the General tab:

Modified : January 11, 2005

Size: 14 KB (13,824 bytes)

A check mark in the Hidden check box

On the Version tab:

No file version

No description

No copyright

No company name

No product name

If a file has the hidden attribute set and is also missing details regarding product name, company, and file version, the computer is infected with the spyware.

Click OK to close the Properties dialog box, and then follow the steps of one of the methods that are described in the "Resolution" section to resolve the problem.

In the Internet Explorer Address box, type %windir%\system32, and then press ENTER.

Look for application files (files that have an .exe extension in the name) that have names that are similar to the following:

Msupd.exe

Msupd*.exe

Note The placeholder * represents a single-digit number

Reloadmedude.exe

These files will have a random date and a size of 60 KB (61,440 bytes). Known names of the spyware files include the following file names:

Msupd.exe

Msupd4.exe

Msupd5.exe

Reloadmedude.exe

If one or more of these files exist, the computer is infected with the spyware. Follow the steps of one of the methods that are described in the "Resolution" section to resolve the problem.

Security products that detect this spyware

Several security products detect this spyware. Examples of these products and the reported spyware names include the following:

Product

Reported spyware name

Microsoft AntiSpyware

Spyware.Service.MiscrosoftUpdate (Trojan)

Computer Associates

Win32/Benuti.61440!Downloader!Dr

Doctor Web DrWebCL

Trojan.Medude

F-Secure

Trojan.Win32.Agent.aw

Kaspersky Lab AVPDOS32

Trojan.Win32.Agent.aw

McAfee

Downloader-va

Panda

Trj/Agent.FO and Adware/Apropos

Trend Micro VScan

TROJ_LODMEDUD.A

Symantec

Trojan.Lodmeduod

References

For more information about the Microsoft AntiSpyware product, click the following article numbers to view the articles in the Microsoft Knowledge Base: